How to resolve security vulnerability of Guava dependency for Alluxio?

Omkar Naidu
Hi Team,

I am building Alluxio from source. I found that a few dependencies have security vulnerabilities, and I updated them to the recent (no vulnerability) versions, but while updating the following dependency (com.google.guava:guava:14.0.1), I found it requires a lot of classes to be changed from the Guava Objects class to the MoreObjects class.

Guava has a security vulnerability from 11.0 to 24.x; anything newer than 24.x has a few methods moved from the Objects class to the MoreObjects class, so if we are updating the Guava dependency we need to change a lot of classes in the source.

I filed a JIRA for the same (https://alluxio.atlassian.net/browse/ALLUXIO-3322) with the vulnerability details and the components and versions impacted. Please let me know if the vulnerability can be ignored, whether it has any impact, and whether there is any plan to update the dependency.

Regards
Omkar

--
You received this message because you are subscribed to the Google Groups "Alluxio Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.

Re: How to resolve security vulnerability of Guava dependency for Alluxio?

Bin Fan
Hi Omkar,

I think it is definitely a good idea to upgrade from Guava 14.0 to a higher version to patch the security vulnerability.
One complication for Alluxio is that the Alluxio client provides the Guava library in the shaded uber jar.
We need to evaluate whether a higher version of Guava will conflict with other application engines like Spark (which depends on Guava 14.0).
In the worst case, we may need to shade Guava in Alluxio, which may require more work.

But definitely, we should resolve this for the new version, Alluxio 2.0.

- Bin

On Mon, Sep 24, 2018 at 2:14 AM Omkar Naidu <[hidden email]> wrote:
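Shading Guava, the worst case Bin mentions, means relocating its packages inside the Alluxio client jar so that an upgraded Guava cannot collide with the Guava 14.0 that Spark puts on the same classpath. The maven-shade-plugin fragment below is an added illustration, not Alluxio's actual build configuration; the `alluxio.shaded` relocation prefix is an assumption.

```xml
<!-- Added example, not Alluxio's own pom.xml. Rewrites every com.google.common.*
     class (and every reference to it in the project's own bytecode) under a
     private prefix, so two Guava versions can coexist on one classpath.
     The shadedPattern prefix is an assumption. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-shade-plugin</artifactId>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <goal>shade</goal>
      </goals>
      <configuration>
        <relocations>
          <relocation>
            <pattern>com.google.common</pattern>
            <shadedPattern>alluxio.shaded.com.google.common</shadedPattern>
          </relocation>
        </relocations>
        <filters>
          <filter>
            <!-- Signature files from upstream jars no longer match the rewritten
                 classes and would fail JAR verification; drop them. -->
            <artifact>*:*</artifact>
            <excludes>
              <exclude>META-INF/*.SF</exclude>
              <exclude>META-INF/*.DSA</exclude>
              <exclude>META-INF/*.RSA</exclude>
            </excludes>
          </filter>
        </filters>
      </configuration>
    </execution>
  </executions>
</plugin>
```

After building, `jar tf <client-jar> | grep '^com/google/common'` should print nothing; any hit means an unrelocated Guava class is still exposed to Spark's classpath.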

Re: How to resolve security vulnerability of Guava dependency for Alluxio?

Bin Fan
Hi Omkar,

I created a JIRA to address this issue: https://alluxio.atlassian.net/browse/ALLUXIO-3330
targeting Alluxio 2.0.

Feel free to put more feedback here or on the JIRA.

- Bin

On Mon, Sep 24, 2018 at 10:04 AM Bin Fan <[hidden email]> wrote:

Re: How to resolve security vulnerability of Guava dependency for Alluxio?

Omkar Naidu
Thanks, Bin, for addressing the issue. I will update the JIRA.

Regards
Omkar

On Wed, 3 Oct 2018 at 3:29 AM, Bin Fan <[hidden email]> wrote: